ACS 4.2 (Trial) User Group Restrictions?

I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm running an Eval of CSACS v4.2 for Windows in a Lab so I can work out the issues.

So far I've been fairly successful getting user accounts authenticated with active directory credentials using the "Windows Database" as my external user database. The only problem I've run into is that I can't seem to figure out how to restrict access to Active Directory group membership.

For instance, in the lab I have a Cisco 3750 switch that is using ACS to control login access. But given my current ACS configuration everyone in the windows domain can login to the switch. How can I restrict that down to just the Network Operations group in Active Directory?

Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
view more

We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...
view more